import { Callout } from "nextra/components"
import { Code } from "@/components/Code"

<img align="right" src="/img/providers/authentik.svg" height="64" width="64" />

# Authentik Provider

## Resources

- [Authentik OAuth documentation](https://goauthentik.io/docs/providers/oauth2)

## Setup

### Callback URL

<Code>
  <Code.Next>

```bash
https://example.com/api/auth/callback/authentik
```

  </Code.Next>
  <Code.Qwik>

```bash
https://example.com/auth/callback/authentik
```

  </Code.Qwik>
  <Code.Svelte>

```bash
https://example.com/auth/callback/authentik
```

  </Code.Svelte>
</Code>

### Environment Variables

```
AUTH_AUTHENTIK_ID
AUTH_AUTHENTIK_SECRET
AUTH_AUTHENTIK_ISSUER
```

### Configuration

<Code>
  <Code.Next>

```ts filename="/auth.ts"
import NextAuth from "next-auth";
import Authentik from "next-auth/providers/authentik";

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Authentik({
    clientId: AUTH_AUTHENTIK_CLIENT_ID
    clientSecret: AUTH_AUTHENTIK_CLIENT_SECRET
    issuer: AUTH_AUTHENTIK_ISSUER
  })]
});
```

  </Code.Next>
  <Code.Qwik>
  
```ts filename="/src/routes/plugin@auth.ts"
import { QwikAuth$ } from "@auth/qwik"
import Authentik from "@auth/qwik/providers/authentik";

export const { onRequest, useSession, useSignIn, useSignOut } = QwikAuth$(
  () => ({
    providers: [
      Authentik({
        clientId: import.meta.env.AUTH_AUTHENTIK_CLIENT_ID
        clientSecret: import.meta.env.AUTH_AUTHENTIK_CLIENT_SECRET
        issuer: import.meta.env.AUTH_AUTHENTIK_ISSUER
      })
    ],
  })
)
```

  </Code.Qwik>
  <Code.Svelte>

```ts filename="/src/auth.ts"
import { SvelteKitAuth } from "@auth/sveltekit";
import Authentik from "@auth/sveltekit/providers/authentik";

export const { handle, signIn, signOut } = SvelteKitAuth({
  providers: [Authentik({
    clientId: AUTH_AUTHENTIK_CLIENT_ID
    clientSecret: AUTH_AUTHENTIK_CLIENT_SECRET
    issuer: AUTH_AUTHENTIK_ISSUER
  })]
});
```

  </Code.Svelte>
  <Code.Express>

```ts filename="/src/app.ts"
import { ExpressAuth } from "@auth/express";
import Authentik from "@auth/express/providers/authentik";

app.use("/auth/*", ExpressAuth({
  providers: [Authentik({
    clientId: AUTH_AUTHENTIK_CLIENT_ID
    clientSecret: AUTH_AUTHENTIK_CLIENT_SECRET
    issuer: AUTH_AUTHENTIK_ISSUER
  })]
}));
```

  </Code.Express>
</Code>

<Callout>
  issuer should include the slug without a trailing slash – e.g.,
  https://my-authentik-domain.com/application/o/My_Slug
</Callout>
